sha1 hash using libgcrypt different from what returns sha1sum

David Shaw dshaw at
Tue Nov 12 21:46:47 CET 2013

On Nov 12, 2013, at 12:34 PM, Werner Koch <wk at> wrote:

> On Tue, 12 Nov 2013 00:44, yumkam at said:
>> I strongly believe this is a bug, I have not found any such behavior in standard
> You are right.  This is a limitation of the code which was never hit in
> practice until now - at least I hope so.  The more disturbing fact is
> that this also affects GPG encrypted files: SHA-1 is used for an MDC to
> protect the encrtpted messages.  If both parties use GPG, this won't be
> a problem but it is not standard compliant.
> Now, what shall we do with GPG? 
> - Fix the code and hope that no encrypted files larger than 256GB need
>   decryption?
> - Fix and print a warning for an MDC mismatch in case the file is too
>   long.
> - Fix and add an option to use the unfixed SHA-1 code?  Takes a lot of
>   time for processing.

I suppose it would be nice to have an option to use the unfixed SHA-1 code to be bug-compatible with earlier versions, but how common is this problem?  I'm somewhat surprised that this hasn't come up long before, or possibly it has and people just accepted (or bypassed) the MDC mismatch?

Bug compatible is nice, but it's also really nice to not to have to maintain a second known-incorrect version of the algorithms internally.


More information about the Gnupg-devel mailing list